https://wiki.multitheftauto.com/wiki/Serial
Since few days I'm trying to generate/spoof new MTA serial. What I've already tried:
- Hooking WMI(it uses it for retrieving bios serial etc., but hooking doesn't change serial)
- Hooking DeviceIoControl (it uses it as well, for retrieving hard drive serial, seems to be called on each connect with the server) didn't work
- Hooking GetAdaptersInfo for MAC spoof - didn't work
- Hooking internal API function GetSerial (netc.dll) worked, the serial looked changed but when joining the server original serial was used(probably there's one more )
- Reinstalling GTA+MTA and hooking again in the hope it will change.
Additional info: the serial is also stored in the registry but it doesn't mean anything as the serial used in hand shakes is in memory.
Other possibilities:
- SID (generated uniquely on each new windows installation), there's a changer available http://www.stratesave.com/html/sidchg.html but I'm afraid to use it and prefer to do it without modifying my system. Some people tell their serial changed after upgrading/reinstalling their windows.
- The serial is stored somewhere on the hard-drive, or just a binary with hardware data.
Did you manage to reverse what is used to generate the serial/or where the serial is stored?
Netc.dll is injected in both Multi theft auto.exe and gta_sa.exe but 90% it's generated in gta_sa.exe
I'm doing it for purely educational purpose and not intend to hack on servers, as I'm just curious of the method but it's kept as a 'secret' and knowledge only available to MTA staff.
They also have the driver FairplayKD.sys but I doubt it's generated there. It is a 'sandbox'.
The serial is an MD5 hash most probably (or not 128bits = 16 bytes) but I doubt advapi32.dll functions are used for that.

Help appreciated in my research as I'm really curious what is behind it... but trying to do it by myself makes me cry.

Update:
the serial is generated from 'checksum' stored in the registry, it's not even md5(HKEY_LOCAL_MACHINESOFTWAREWOW6432NodeMulti Theft Auto: San Andreas All1.5Settingsgeneral) value is named 'cachechecksum'.
Checksum looks like: 12CC2B5B:4B4552GGCCGGDF5FF:F4213
It is hashed with MD5: 540D6A2D8D207A67FF77D91D29EBB448
Part of the hash is prepended to the checksum and 2nd part of it is appended, the final value stored in registry looks like:
540D6A2D8D207A6712CC2B5B:4B4552GGCCGGDF5FF:F4213FF77D91D29EBB448
The real serial shown in the console is simply this:
12CC2B5B:4B4552GGCCGGDF5FF:F4213
But 'obfuscated' a little bit(all characters are decreased by 1, : is replaced by 9)
01BB1A4A93A3441FFBBFFCE4EE9E3102
As you should've been noticed it's not even hexadecimal
Spoofing the checksum works and the serial is changed. But still, it's not used in the connection phase. After removing the checksum the new checksum is added with RegSetValueExW. So we have to somehow trace the calls and find the origin... but it still ain't easy.
The question still remains the same: how the checksum is generated and from where does it come from.

I apreciate your try, but, Did you finally get it?

y on connection it changes back

Which file's has is the cachechecksum?

Cachechecksum is a registry value, other serial values are used, peek around in different places, server sends back new cachechecksum with packet id 2, blablabla, serial generation is in other place + there are multiple instances of it, so serial faking is hard but still possible

First of all, sorry for my English (google).
Allow me to congratulate you for your knowledge and the desire to learn that you have.
Yes, apparently it is not an easy task, I spent only a few hours to see what it was about. And yes, most likely it takes binary data from hardware and there the serial is generated, I think the easiest thing would be to try to change all the serial or 'ids' of the hardware, system and then reinstall everything. If you find the solution please share it privately, so MTA does not look for another solution haha. Greetings.